Agenda

• Why should you care?
  - David Basel, DISA, DoD PPS Manager
• What do you need to know?
  - Cragin Shelton, MITRE
• How do you use all this?
  - SMSgt Josh Walker, AFCA/EVPI


Why should you care?

• PPSM supports “baking security in”
• PPSM saves time and money when seeking C&A
• PPSM increases speed of system deployment in the real world

BUT only if you include PPSM from the beginning of the SDLC
PPSM Goals

• Protect DoD networks and enclaves: a common security baseline
• DoD interoperability
• Incorporation into the Certification and Accreditation process
• Incorporation into the DoD acquisition process


Program Managers Benefits

• Cost and schedule
• Reduce re-engineering and development due to installation-unique requirements


Interoperability Benefits

• Reduce operational startup time for deployed units
• Provide standard architectures, implementations and solutions
• Reduce initial cost / eliminate fielding rework cost
• Clean up legacy practices
• Reduce cross-component conflicts (DFAS/DLA/Medical)


Vulnerability Management Benefits

• Identify existing vulnerabilities
• Prioritize remediation efforts (fix the problems identified)
• Advance notice of specific vulnerabilities
• Potential attack vectors known before exploits exist
• Immediate impact analysis during attack/protection decisions


Communications Bandwidth Benefits

• Reduce hostile/unintended traffic
• Effective bandwidth utilization
What Do You Need to Know?

• What aspects of your system relate to PPSM requirements?
  - Cragin Shelton, CISSP
  - The MITRE Corporation


What Do You Need to Know?

• What kind of network traffic are you creating?
  - Is it OK to use?
  - Is it being used correctly?
• Where does that traffic go?
What Kind of Traffic?

• Internet Protocol
• Application Service
• Port

• SSTC 2005
• Crosstalk, May 2005
Evaluating Traffic Types

• Is it OK to use?
  - PPS Category Assignments List (CAL)
  - Understand the color code
• Is it being used correctly?
  - Vulnerability Assessment Reports
  - Known or foreseeable problems
  - Configuration guidelines
  - Mitigation steps
Where Does That Traffic Go?

• Which networks are the computers on?
• Which network boundaries does the traffic cross?
How Many Networks?

• NIPRNet
• SIPRNet
• NMCI
• Hill AFB
• DREN
• 9th Air Force
• Post Medical Center LAN
• DECC DMZ

• Internet
• Boeing
• Lockheed Martin
• State Department
• Homeland Security
• et cetera
Network Types

• External Network
• DoD Network
• DoD DMZ
• DoD Enclave
• Enclave DMZ
Network Boundaries

• Where networks connect
• Where security rules change
• Where security authorities change
• Where rules are enforced (firewalls)

Direction matters
Boundary Crossings

1. External -> DoD Network
2. DoD Network -> External
3. External -> DoD DMZ
4. DoD DMZ -> External
5. DoD DMZ -> DoD Network
6. DoD Network -> DoD DMZ
7. DoD Network -> DoD Enclave
8. DoD Enclave -> DoD Network
9. DoD Network -> Enclave DMZ
10. Enclave DMZ -> DoD Network
11. Enclave DMZ -> DoD Enclave
12. DoD Enclave -> Enclave DMZ
13. DoD Enclave -> External
14. External -> DoD Enclave
15. DoD Network <-> DoD Network
16. DoD Enclave <-> DoD Enclave
Network Boundary Model

(Diagram: DoD network connections)
References

• DoD Instruction 8551.1
• PPS Assurance Category Assignments List (CAL)
• PPS Vulnerability Assessment Reports

http://iase.disa.mil/ports
Definitions

• Port
  - Sub-address assigned to a program on a computer
  - One program may use one common port for listening, but separate, temporary ports for each specific conversation.
• Protocol
  - Generally, rules on format, order, and content for communication.
  - Specifically, rules that tell how to handle packets traveling on the Internet.
• Service
  - Particular rule set for how an application program communicates.
  - Also called Application Service, Data Service or Application Protocol.
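The port definition above (one common listening port, a separate temporary port per conversation) is easy to see on a real socket. The following is an added example written for this page, not code from the briefing: it opens a TCP listener on loopback with port 0 (so the OS picks a free port), makes two connections to it, and reports which ports each side ends up on. The server side of every accepted connection still carries the single listening port, while each client side gets its own temporary port. Everything runs on 127.0.0.1 with no real service behind it.

```python
import socket


def show_listening_vs_conversation_ports(connections=2):
    """Open a TCP listener on loopback, accept a few connections, and report
    the ports in use.

    Returns a dict with the single listening port and, for each accepted
    conversation, the server-side local port and the client's temporary port.
    Constructed example: loopback only, no application data is exchanged.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free port
    listener.listen(connections)
    listen_port = listener.getsockname()[1]

    clients, accepted = [], []
    try:
        for _ in range(connections):
            # Each connect() on loopback completes in the kernel, so the
            # following accept() returns without blocking.
            client = socket.create_connection(("127.0.0.1", listen_port))
            clients.append(client)
            conn, _peer = listener.accept()
            accepted.append(conn)
        report = {
            "listen_port": listen_port,
            "conversations": [
                {
                    # the accepted socket is still anchored on the listening port
                    "server_local_port": conn.getsockname()[1],
                    # the client was given a temporary port for this conversation
                    "client_temp_port": conn.getpeername()[1],
                }
                for conn in accepted
            ],
        }
    finally:
        for s in clients + accepted + [listener]:
            s.close()
    return report


def uses_one_listening_port(report):
    """True when every conversation sits on the same listening port on the
    server side while each client side uses a distinct temporary port."""
    convs = report["conversations"]
    same_server_port = all(c["server_local_port"] == report["listen_port"] for c in convs)
    distinct_client_ports = len({c["client_temp_port"] for c in convs}) == len(convs)
    not_the_listen_port = all(c["client_temp_port"] != report["listen_port"] for c in convs)
    return same_server_port and distinct_client_ports and not_the_listen_port


if __name__ == "__main__":
    r = show_listening_vs_conversation_ports()
    print(r)
    print("one listening port, a temporary port per conversation:", uses_one_listening_port(r))
```

This is why a PPS registration lists the listening port of a service rather than the client-side ports: the temporary ports change with every conversation, and a boundary rule written against them would not be stable.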
Acronyms

- ACAL: Assurance Category Assignments List
- AFCA: Air Force Communications Agency
- C&A: Certification & Accreditation
- CAL: Category Assignments List
- DECC: Defense Enterprise Computing Center
- DFAS: Defense Finance & Accounting Service
- DITSCAP: DoD Information Technology Security Certification and Accreditation Process
- DLA: Defense Logistics Agency
- DMZ: Demilitarized Zone
- DREN: Defense Research & Engineering Network
- IP: Internet Protocol
- LAN: Local Area Network
- NIPRNet: Unclassified IP Router Network
- NMCI: Navy / Marine Corps Intranet
- PPSM: Port, Protocol, & Service Management
- SDLC: System Development Life Cycle
- SIPRNet: Secret IP Router Network
How do you use all this?

SMSgt Josh Walker
AFCA
SSTC, May 1, 2006


How do you use all this?

• Perspective on integration and implementation of PPS by the Air Force
  - SMSgt Josh Walker, AFCA/EVPI
How do you use all this?

• During Design:
  - Use the DoD ACAL to determine the proper PPS to use based upon risk factors
  - Use PPS VA reports to determine “best practices” for configuration and use of PPS
  - Use “implementation guidelines” in your designs
• Make security a forethought instead of an afterthought
Document, document

• During Building and Testing:
  - Determine the overall system architecture (physical and logical)
  - All possible system interfaces at the TCP/IP layer
  - Complete data flows at the TCP/IP layer
• Determine your network boundaries
  - Overlay your system architecture onto the “DoD Network Boundary Model”
  - Network boundaries are all based upon source and destination (your system interfaces and data flows)
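The overlay step above, together with the numbered "Boundary Crossings" slide, can be done mechanically once the data flows are written down. The script below is an added example for this page, not Air Force or DISA tooling: it encodes the five network types and the sixteen crossings exactly as the slides list them, then takes a constructed inventory of flows (each end given as a network name and its type, plus protocol and port) and groups them by crossing number. Direction is preserved, a flow whose source and destination are the same network is reported as internal (no boundary crossed), and a source/destination pair the model has no entry for is reported as unmapped so it gets reviewed first. Network names such as "Hill AFB LAN" and "Base DMZ" in the inventory are made up for the example.

```python
"""Map a system's TCP/IP data flows onto the DoD network boundary model.

Added example, not part of the briefing. The network types and the 16
numbered crossings are copied from the "Network Types" and "Boundary
Crossings" slides; the flow inventory at the bottom is constructed.
"""

NETWORK_TYPES = {"External", "DoD Network", "DoD DMZ", "DoD Enclave", "Enclave DMZ"}

# Direction matters: each ordered (source, destination) pair is its own entry.
# 15 and 16 are the bidirectional cases between two distinct networks of the
# same type (two DoD networks, or two DoD enclaves).
BOUNDARY_CROSSINGS = {
    1: ("External", "DoD Network"),
    2: ("DoD Network", "External"),
    3: ("External", "DoD DMZ"),
    4: ("DoD DMZ", "External"),
    5: ("DoD DMZ", "DoD Network"),
    6: ("DoD Network", "DoD DMZ"),
    7: ("DoD Network", "DoD Enclave"),
    8: ("DoD Enclave", "DoD Network"),
    9: ("DoD Network", "Enclave DMZ"),
    10: ("Enclave DMZ", "DoD Network"),
    11: ("Enclave DMZ", "DoD Enclave"),
    12: ("DoD Enclave", "Enclave DMZ"),
    13: ("DoD Enclave", "External"),
    14: ("External", "DoD Enclave"),
    15: ("DoD Network", "DoD Network"),
    16: ("DoD Enclave", "DoD Enclave"),
}


def crossing_number(src_type, dst_type):
    """Crossing number for an ordered (source type, destination type) pair,
    or None when the model has no entry for that pair."""
    for net in (src_type, dst_type):
        if net not in NETWORK_TYPES:
            raise ValueError(f"unknown network type: {net!r}")
    for number, pair in BOUNDARY_CROSSINGS.items():
        if pair == (src_type, dst_type):
            return number
    return None


def classify_flow(flow):
    """Return the crossing number for one flow, "internal" when both ends are
    the same network (no boundary crossed), or None when unmapped."""
    src_name, src_type = flow["src"]
    dst_name, dst_type = flow["dst"]
    if src_name == dst_name:
        return "internal"
    return crossing_number(src_type, dst_type)


def boundary_report(flows):
    """Group 'name (PROTO/port)' labels by crossing number. Flows whose pair is
    not in the model are collected under 'unmapped'."""
    report = {}
    for flow in flows:
        result = classify_flow(flow)
        key = "unmapped" if result is None else result
        label = f'{flow["name"]} ({flow["proto"]}/{flow["port"]})'
        report.setdefault(key, []).append(label)
    return report


# Constructed inventory: each end is (network name, network type).
SAMPLE_FLOWS = [
    {"name": "public users to web front end", "proto": "TCP", "port": 443,
     "src": ("Internet", "External"), "dst": ("Base DMZ", "Enclave DMZ")},
    {"name": "web front end to database", "proto": "TCP", "port": 1433,
     "src": ("Base DMZ", "Enclave DMZ"), "dst": ("Hill AFB LAN", "DoD Enclave")},
    {"name": "patch pulls from NIPRNet", "proto": "TCP", "port": 80,
     "src": ("Hill AFB LAN", "DoD Enclave"), "dst": ("NIPRNet", "DoD Network")},
    {"name": "NIPRNet users to DECC hosted app", "proto": "TCP", "port": 443,
     "src": ("NIPRNet", "DoD Network"), "dst": ("DECC DMZ", "DoD DMZ")},
    {"name": "file shares inside the base LAN", "proto": "TCP", "port": 445,
     "src": ("Hill AFB LAN", "DoD Enclave"), "dst": ("Hill AFB LAN", "DoD Enclave")},
    {"name": "base LAN to 9th Air Force LAN", "proto": "TCP", "port": 22,
     "src": ("Hill AFB LAN", "DoD Enclave"), "dst": ("9th Air Force LAN", "DoD Enclave")},
]


if __name__ == "__main__":
    for key, labels in sorted(boundary_report(SAMPLE_FLOWS).items(), key=str):
        print(f"{key}: {labels}")
```

The report is what goes into the boundary section of the PPS documentation: one entry per crossing number with the protocol and listening port, which is exactly the source/destination information the slide says the boundaries are based on. The unmapped bucket is the useful failure mode; in the sample it catches a flow straight from the Internet into an enclave DMZ, a pair the model does not list, so it has to be redesigned or justified before registration rather than discovered at C&A.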
Example - Network Connections

(Diagram)


Approval and Registration

• Prior to Release:
  - Integrate complete PPS information into DITSCAP* documentation
  - Receive approval through C&A or another service component/agency process
  - Register system PPS with DoD
• Impact of the above:
  - Gives the field a “heads-up” on your system’s deployment and its impact on their enclave security
  - Approval and registration are necessary steps to allow your PPS across network boundaries

*DITSCAP: DoD Information Technology Security Certification and Accreditation Process
Implementation

• During Release and Support:
  - Maintain adherence to the latest DoD PPS CAL risk designations and implementation guidelines
  - Do policy changes impact your system?
  - Are any system/network interface/data flow changes necessary?
  - All part of the continuing risk management and C&A process

  - Proper approval will show how your PPS vulnerabilities were addressed and mitigated
  - Proper registration will give DoD visibility into the PPS necessary for your system operation
Air Force References

• AF Instruction 33-137, Ports, Protocols and Services Management
• AF PPS Matrix
• AF PPS Management Documentation Guide
  - “AF-DoD PPS Worksheet”

https://private.afca.af.mil/afcaia/info_services/compusec_sec.cfm?COMPID=11